Using a Cisco ASA 8.4(7)30 with NSEL. This gives separate counters for "ibyte" and "obyte".

Now, using a test wget:

wget https://files.pfsense.org/mirror/downloads/pfSense-CE-2.3.1-RELEASE-amd64.iso.gz
--2016-06-02 13:16:45--  https://files.pfsense.org/mirror/downloads/pfSense-CE-2.3.1-RELEASE-amd64.iso.gz
Resolving files.pfsense.org (files.pfsense.org)... 162.208.119.39, 2610:1c1:3::109
Connecting to files.pfsense.org (files.pfsense.org)|162.208.119.39|:443... connected.

... (aborted with ^C after 30MB of download) ...

Then looking at the nfdump output:

$ nfdump -M /var/nfsen/profiles-data/live/wrn-asa1 -T -R 2016/06/02/nfcapd.201606021310 -n 10 'host 192.168.5.110 and host 162.208.119.39'
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port       X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2016-06-02 13:16:45.551 CREATE  Ignore   TCP    192.168.5.110:40246 ->   162.208.119.39:443      xxx.xx.xx.4:40246 ->   162.208.119.39:443         0        0
2016-06-02 13:16:45.551 DELETE    2031   TCP    192.168.5.110:40246 ->   162.208.119.39:443      xxx.xx.xx.4:40246 ->   162.208.119.39:443       645   31.4 M
Summary: total flows: 2, total bytes: 31411053, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2016-06-02 09:22:56 - 2016-06-02 13:19:59
Total flows processed: 96947, Blocks skipped: 0, Bytes read: 12094556
Sys: 0.080s flows/second: 1211761.8  Wall: 0.077s flows/second: 1253516.9

Notice that we have "In Byte" = 645, "Out Byte" = 31.4M. This appears to be the wrong way round, given my expectation that "out" would be in the "src -> dst" direction. ("-o raw" output is at the end of this mail)

The canonical documentation is
http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html
and the fields of interest are
NF_F_FWD_FLOW_DELTA_BYTES, NF_F_REV_FLOW_DELTA_BYTES

Field                        ID    Length (bytes)  Description
NF_F_FWD_FLOW_DELTA_BYTES    231   4               The delta number of bytes from source to destination.
NF_F_REV_FLOW_DELTA_BYTES    232   4               The delta number of bytes from destination to source.


This makes it clear that FWD is outbound, and REV is inbound.

Here is the code in bin/netflow_v9.c:

        { NF_F_FLOW_BYTES,           "ASA bytes",     _4bytes, _8bytes, move32_sampling, zero64, EX_NSEL_COMMON },
        { NF_F_FLOW_BYTES,           "ASA bytes",     _8bytes, _8bytes, move64_sampling, zero64, EX_NSEL_COMMON },
        { NF_F_FWD_FLOW_DELTA_BYTES, "ASA fwd bytes", _4bytes, _8bytes, move32_sampling, zero64, EX_NSEL_COMMON },
        { NF_F_FWD_FLOW_DELTA_BYTES, "ASA fwd bytes", _8bytes, _8bytes, move64_sampling, zero64, EX_NSEL_COMMON },
        { NF_F_REV_FLOW_DELTA_BYTES, "ASA rew bytes", _4bytes, _4bytes, move32_sampling, zero32, EX_OUT_BYTES_4 },
        { NF_F_REV_FLOW_DELTA_BYTES, "ASA rew bytes", _8bytes, _8bytes, move64_sampling, zero64, EX_OUT_BYTES_8 },
...
        if ( cache.lookup_info[NF_F_FLOW_BYTES].found ) {
                // NSEL ASA bytes
                PushSequence( table, NF_F_FLOW_BYTES, &offset, &table->bytes);
        } else if ( cache.lookup_info[NF_F_FWD_FLOW_DELTA_BYTES].found ) {
                // NSEL ASA 8.4 bytes
                PushSequence( table, NF_F_FWD_FLOW_DELTA_BYTES, &offset, &table->bytes);
        } else {
                PushSequence( table, NF9_IN_BYTES, &offset, &table->bytes);
        }
...
                        case EX_OUT_BYTES_4:
                                if ( cache.lookup_info[NF_F_REV_FLOW_DELTA_BYTES].found ) {
                                        PushSequence( table, NF_F_REV_FLOW_DELTA_BYTES, &offset, &table->out_bytes);
                                } else {
                                        PushSequence( table, NF9_OUT_BYTES, &offset, &table->out_bytes);
                                }
                                break;
                        case EX_OUT_BYTES_8:
                                if ( cache.lookup_info[NF_F_REV_FLOW_DELTA_BYTES].found ) {
                                        PushSequence( table, NF_F_REV_FLOW_DELTA_BYTES, &offset, &table->out_bytes);
                                } else {
                                        PushSequence( table, NF9_OUT_BYTES, &offset, &table->out_bytes);
                                }
                                break;

So it seems to me that this should be REV in the middle block of code, and FWD in the last block of code.

Unfortunately, that would be a breaking change for existing netflow data, and we would need a tool to patch historical data :-( But perhaps this is a worthwhile hit? Otherwise we are stuck with the directions being the wrong way round forever.

Regards,

Brian.

--------
$ nfdump -M /var/nfsen/profiles-data/live/wrn-asa1 -T -R 2016/06/02/nfcapd.201606021310 -o raw 'host 192.168.5.110 and host 162.208.119.39'

Flow Record:
  Flags        =              0x46 EVENT, Unsampled
  export sysid =                 1
  size         =               136
  first        =        1464869805 [2016-06-02 13:16:45]
  last         =        1464869805 [2016-06-02 13:16:45]
  msec_first   =               551
  msec_last    =               551
  src addr     =     192.168.5.110
  dst addr     =    162.208.119.39
  src port     =             40246
  dst port     =               443
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                 6 TCP
  (src)tos     =                 0
  (in)packets  =                 0
  (in)bytes    =                 0
  connect ID   =         935742156
  fw event     =                 1: CREATE
  fw ext event =                 0
  Event time   =     1464869815568 [2016-06-02 13:16:55.568]
  src xlt port =             40246
  dst xlt port =               443
  src xlt ip   =       xxx.xx.xx.4
  dst xlt ip   =    162.208.119.39
  Ingress ACL  =       0x3824e131/0xb0dc369a/0x0
  Egress ACL   =       0x0/0x0/0x0
  User name    =           <empty>


Flow Record:
  Flags        =              0x46 EVENT, Unsampled
  export sysid =                 1
  size         =                92
  first        =        1464869805 [2016-06-02 13:16:45]
  last         =        1464869805 [2016-06-02 13:16:45]
  msec_first   =               551
  msec_last    =               551
  src addr     =     192.168.5.110
  dst addr     =    162.208.119.39
  src port     =             40246
  dst port     =               443
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                 6 TCP
  (src)tos     =                 0
  (in)packets  =                 0
  (in)bytes    =               645
  out bytes    =          31410408
  connect ID   =         935742156
  fw event     =                 2: DELETE
  fw ext event =              2031
  Event time   =     1464869830655 [2016-06-02 13:17:10.655]
  src xlt port =             40246
  dst xlt port =               443
  src xlt ip   =       xxx.xx.xx.4
  dst xlt ip   =    162.208.119.39

Summary: total flows: 2, total bytes: 31411053, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2016-06-02 09:22:56 - 2016-06-02 13:19:59
Total flows processed: 96947, Blocks skipped: 0, Bytes read: 12094556
Sys: 0.084s flows/second: 1154076.0  Wall: 0.079s flows/second: 1213825.1
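To make the field semantics discussed above concrete, here is an added example (Python, written for this page; it is not code from the original post or from nfdump) that builds a constructed NetFlow v9 packet carrying an NSEL template with fields 231 and 232, decodes it, and labels the two counters with the direction Cisco documents (source to destination and destination to source) instead of an "in"/"out" column name. The field IDs come from RFC 3954 and the Cisco ASA NetFlow guide; every other name (the decoded record keys, `build_v9_packet`, `parse_v9_packet`, `transfer_direction`, `sample_packet`) is this example's own, and the sample values are constructed to mirror the wget flow in the post. Whichever way a collector labels its columns, decoding the raw export this way and comparing is the quickest check that a "large outbound transfer" alert is counting the direction it thinks it is.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field IDs (RFC 3954) and the Cisco NSEL byte-delta fields (Cisco ASA NetFlow guide).
IPV4_SRC_ADDR = 8
IPV4_DST_ADDR = 12
L4_SRC_PORT = 7
L4_DST_PORT = 11
NF_F_FWD_FLOW_DELTA_BYTES = 231   # delta bytes from source to destination (per Cisco)
NF_F_REV_FLOW_DELTA_BYTES = 232   # delta bytes from destination to source (per Cisco)

# Field ID -> (key in the decoded record, decoder). The keys are this example's own:
# they spell out the direction Cisco documents rather than an "in"/"out" label.
FIELD_DECODERS = {
    IPV4_SRC_ADDR: ("src_addr", lambda b: str(IPv4Address(b))),
    IPV4_DST_ADDR: ("dst_addr", lambda b: str(IPv4Address(b))),
    L4_SRC_PORT: ("src_port", lambda b: int.from_bytes(b, "big")),
    L4_DST_PORT: ("dst_port", lambda b: int.from_bytes(b, "big")),
    NF_F_FWD_FLOW_DELTA_BYTES: ("bytes_src_to_dst", lambda b: int.from_bytes(b, "big")),
    NF_F_REV_FLOW_DELTA_BYTES: ("bytes_dst_to_src", lambda b: int.from_bytes(b, "big")),
}


def build_v9_packet(template_id, fields, values):
    """Build one NetFlow v9 export packet: 20-byte header, a template FlowSet (id 0)
    describing `fields` as (field_id, length) pairs, and a data FlowSet holding one
    record made of the already-encoded `values`."""
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 0, 0)  # version, count, uptime, secs, seq, source id
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", fid, ln) for fid, ln in fields)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = b"".join(values)
    data_flowset = struct.pack("!HH", template_id, 4 + len(record)) + record
    return header + template_flowset + data_flowset


def parse_v9_packet(packet):
    """Decode the data records of one NetFlow v9 packet whose template travels in the
    same packet. Options templates (FlowSet id 1) and data for unknown templates are skipped."""
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates, records, pos = {}, [], 20
    while pos + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[pos:pos + 4])
        if length < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[pos + 4:pos + length]
        if flowset_id == 0:                                  # template FlowSet, may carry several templates
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
                off += 4 * nfields
                templates[tid] = fields
        elif flowset_id >= 256 and flowset_id in templates:  # data FlowSet
            fields = templates[flowset_id]
            rec_len = sum(ln for _, ln in fields)
            off = 0
            while rec_len and off + rec_len <= len(body):    # trailing padding is shorter than a record
                rec = {}
                for fid, ln in fields:
                    raw = body[off:off + ln]
                    off += ln
                    if fid in FIELD_DECODERS:
                        key, decode = FIELD_DECODERS[fid]
                        rec[key] = decode(raw)
                records.append(rec)
        pos += length
    return records


def transfer_direction(rec):
    """Label which side of the flow sent most payload: a client-initiated download should
    show far more dst->src bytes than src->dst. Swapping the two counters flips this label,
    which is exactly what an outbound-volume alert depends on."""
    fwd, rev = rec["bytes_src_to_dst"], rec["bytes_dst_to_src"]
    if rev > fwd:
        return "download"
    if fwd > rev:
        return "upload"
    return "balanced"


def sample_packet():
    """Constructed packet mirroring the flow in the post: 192.168.5.110:40246 -> 162.208.119.39:443,
    645 bytes source->destination (field 231) and 31410408 bytes destination->source (field 232)."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
              (NF_F_FWD_FLOW_DELTA_BYTES, 4), (NF_F_REV_FLOW_DELTA_BYTES, 4)]
    values = [IPv4Address("192.168.5.110").packed, IPv4Address("162.208.119.39").packed,
              (40246).to_bytes(2, "big"), (443).to_bytes(2, "big"),
              (645).to_bytes(4, "big"), (31410408).to_bytes(4, "big")]
    return build_v9_packet(256, fields, values)


if __name__ == "__main__":
    for r in parse_v9_packet(sample_packet()):
        print(r, transfer_direction(r))
```

Running it prints one decoded record with `bytes_src_to_dst` 645 and `bytes_dst_to_src` 31410408, labelled "download". The same parser can be pointed at a real export captured from the ASA (for example a UDP payload saved with tcpdump) once its template FlowSet has been seen, and the keys in the decoded record then say unambiguously which exporter field a collector's "In Byte" or "Out Byte" column was filled from.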
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
